Automatic investigation

Cyber deception can be used to automate decision-making in incident response, leading to lower SOC costs. ActiveSOC enables analysts to deterministically validate below-the-threshold events and determine whether an alert is a false positive. Once there is a trigger, we proceed with a deception intervention. ActiveSOC only deploys deception when and where it is needed.

Using ActiveSOC, we can treat a suspicious login attempt, for example, as a trigger and proceed with a deception intervention: in this case, adding a breadcrumb (a credential) to memory. If the attacker then steals the breadcrumb and uses it, the use is detected immediately and the event can be marked with high fidelity as a real alert.
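The trigger-then-breadcrumb flow described above, as an added example that is not ActiveSOC code or its API. The event fields, the `svc-bkp-<host>` decoy naming, the one-hour window and the `plant_breadcrumb` stand-in are all assumptions, and the log events are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample events (not real logs); field names are assumptions.
EVENTS = [
    {"ts": 100, "type": "suspicious_login", "host": "ws-17", "user": "jsmith"},
    {"ts": 130, "type": "auth", "host": "fs-02", "user": "jsmith"},
    {"ts": 160, "type": "suspicious_login", "host": "ws-23", "user": "mlee"},
    {"ts": 900, "type": "auth", "host": "db-01", "user": "svc-bkp-ws-17"},
]

@dataclass
class DeceptionTriage:
    """Plants a decoy credential per trigger and watches for its use."""
    window: int = 3600                            # seconds before a trigger is reviewed
    planted: dict = field(default_factory=dict)   # decoy user -> trigger event
    used: set = field(default_factory=set)        # decoy users seen in auth events

    def plant_breadcrumb(self, trigger):
        # Hypothetical stand-in: a real deployment would place the decoy
        # credential in memory on trigger["host"] through its own agent.
        decoy = f"svc-bkp-{trigger['host']}"      # constructed naming scheme
        self.planted[decoy] = trigger
        return decoy

    def process(self, event):
        """Return a verdict for events that change an alert's status, else None."""
        if event["type"] == "suspicious_login":
            decoy = self.plant_breadcrumb(event)
            return {"verdict": "intervention", "host": event["host"], "decoy": decoy}
        trigger = self.planted.get(event.get("user"))
        if event["type"] == "auth" and trigger:
            # No legitimate user knows the decoy, so any use is high fidelity.
            self.used.add(event["user"])
            return {"verdict": "confirmed", "origin": trigger["host"],
                    "seen_on": event["host"], "decoy": event["user"]}
        return None

    def unconfirmed(self, now):
        """Hosts whose breadcrumb stayed untouched for the whole window."""
        return [t["host"] for d, t in self.planted.items()
                if d not in self.used and now - t["ts"] > self.window]

def run(events, window=3600):
    triage = DeceptionTriage(window=window)
    verdicts = [v for v in map(triage.process, events) if v]
    return triage, verdicts
```

An untouched breadcrumb leaves the trigger unconfirmed rather than proven benign, so `unconfirmed()` is a review queue, not a false-positive verdict.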

Other deception interventions could include creating a decoy when we see someone connecting to an IP address that is not in use, or creating a web application. With ActiveSOC, you deploy deception only when and where you need it, on demand.